Bug #7530

closed

Kerberos: sname/cname code and suricata documentation both wrong

Added by campbell robertson 5 months ago. Updated 3 days ago.

Status: Rejected
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Beginner

Description

In the Suricata documentation the cname and sname are described as client and server name. https://docs.suricata.io/en/latest/rules/kerberos-keywords.html
But the Suricata code in GitHub describes the krb5_cname and krb5_sname as their respective principal name:

These were contradicting, so we did a test and it looks like the krb5_cname is the client service principal and the sname is the destination server, so it appears that both the docs and the code documentation are wrong.


Related issues 1 (1 open, 0 closed)

Related to Suricata - Documentation #6566: userguide: add description for missing EVE krb fields (In Review, Philippe Antoine)

Actions #1

Updated by Victor Julien 5 months ago

@Pierre Chifflier can you have a look?

Actions #2

Updated by Philippe Antoine 3 days ago

Actions #3

Updated by Philippe Antoine 3 days ago

  • Status changed from New to Rejected

From what I understand, cname and sname in Suricata are the same as in RFC 4120.

For example, cname is described there as:

This field contains the name part of the client's principal identifier.

So, all looks good to me, but I may be wrong:
If you have a pcap where you get a different value than expected for cname or sname, please provide it.

If you have a better wording for docs or code comments, a PR is welcome

Feel free to reopen if you have more details
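
What RFC 4120 places in cname and sname, as an added example (not code from Suricata or from anyone in this thread): a minimal DER walk over two constructed KDC-REQ-BODY samples, one with the optional cname present and one TGS-style body without it. The principals, realm and hostname are made up, all function names are hypothetical, and joining name-string components with "/" is the conventional text form assumed here.

```python
def tlv(tag, body):
    """Encode one DER element; the constructed samples stay under 128 bytes."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_all(buf):
    """Decode consecutive DER elements in buf into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                   # long-form definite length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if pos + n > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def principal(wrapped):
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    fields = dict(read_all(read_all(wrapped)[0][1]))
    name_type = int.from_bytes(read_all(fields[0xA0])[0][1], "big")
    parts = [v.decode("ascii") for _, v in read_all(read_all(fields[0xA1])[0][1])]
    return name_type, "/".join(parts)      # assumed text form: components joined by "/"

def cname_sname(req_body):
    """Return the optional cname [1] and sname [3] fields of a KDC-REQ-BODY."""
    fields = dict(read_all(read_all(req_body)[0][1]))
    return {k: principal(fields[t]) for k, t in (("cname", 0xA1), ("sname", 0xA3)) if t in fields}

def build(name_type, *parts):
    strings = b"".join(tlv(0x1B, p.encode()) for p in parts)    # GeneralString
    return tlv(0x30, tlv(0xA0, tlv(0x02, bytes([name_type]))) + tlv(0xA1, tlv(0x30, strings)))

def body(cname, sname):
    """Constructed KDC-REQ-BODY; cname=None models a TGS-REQ, where the field is absent."""
    out = tlv(0xA0, tlv(0x03, bytes.fromhex("0040810010")))     # kdc-options
    if cname:
        out += tlv(0xA1, build(*cname))                         # cname [1]
    out += tlv(0xA2, tlv(0x1B, b"EXAMPLE.COM"))                 # realm [2]
    out += tlv(0xA3, build(*sname))                             # sname [3]
    out += tlv(0xA5, tlv(0x18, b"20370913024805Z"))             # till [5]
    out += tlv(0xA7, tlv(0x02, bytes.fromhex("12345678")))      # nonce [7]
    out += tlv(0xA8, tlv(0x30, tlv(0x02, b"\x12")))             # etype [8]: 18
    return tlv(0x30, out)

AS_REQ_BODY = body((1, "alice"), (2, "krbtgt", "EXAMPLE.COM"))      # constructed sample
TGS_REQ_BODY = body(None, (2, "cifs", "fs01.example.com"))          # constructed sample
```

In the first sample cname is the requesting client's principal name and sname is the principal of the service the ticket is for (here the ticket-granting service); in the second only sname is present.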
